03-28-2024 09:35 AM
Is it possible to build an IPSec VPN tunnel between a cEdge device and Zscaler with the source of the tunnel being in the service VPN say VPN 5 rather than VPN 0?
03-28-2024 12:11 PM
Hi,
The tunnel can be in a service VPN, but the source and destination should be via VPN 0.
Note: Service-side tunnels, where the tunnel interface itself resides in the service VPN but the source and destination of the tunnel reside in the transport VPN, are supported only for IPsec tunnels, for both vEdge and IOS XE SD-WAN routers.
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-zscaler-deploy-guide.html
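To make the point in the reply above concrete, here is an added illustration of a service-side IPsec VTI on an IOS XE SD-WAN router; it is not taken from the thread or from Cisco's deployment guide. The tunnel interface is placed in service VRF 10, while the tunnel source interface and the tunnel destination are resolved in the global table, which on a cEdge is VPN 0, so no `tunnel vrf` statement is needed. The peer address 203.0.113.10, the pre-shared key placeholder, the tunnel addressing, the interface names and the policy names are all assumptions chosen for the example; on a vManage-managed device this would be delivered through feature templates or a CLI add-on template rather than typed directly.

```cisco
! --- IKEv2 phase 1 (values are example assumptions, not from the thread) ---
crypto ikev2 proposal ZS-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy ZS-POL
 proposal ZS-PROP
crypto ikev2 keyring ZS-KEYRING
 peer ZSCALER-NODE
  address 203.0.113.10
  pre-shared-key <PSK-PLACEHOLDER>
crypto ikev2 profile ZS-IKEV2-PROF
 match identity remote address 203.0.113.10 255.255.255.255
 identity local fqdn wanedge-b.example.invalid
 authentication remote pre-share
 authentication local pre-share
 keyring local ZS-KEYRING
! --- IPsec phase 2 ---
crypto ipsec transform-set ZS-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile ZS-IPSEC-PROF
 set transform-set ZS-TS
 set ikev2-profile ZS-IKEV2-PROF
! --- Service-side tunnel: interface lives in VRF 10 ---
interface Tunnel100
 vrf forwarding 10
 ip address 10.200.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile ZS-IPSEC-PROF
! Transport-facing interface stays in VPN 0 (global table); no "tunnel vrf" line,
! so source/destination lookups happen in VPN 0 as the reply describes.
interface GigabitEthernet1
 ip address 198.51.100.2 255.255.255.252
! Default route for VRF 10 users points into the tunnel
ip route vrf 10 0.0.0.0 0.0.0.0 Tunnel100
```

When a tunnel built this way stays down, the first things to confirm are that 203.0.113.10 is reachable from the global table (`show ip route 203.0.113.10`, `ping 203.0.113.10 source GigabitEthernet1`) rather than from VRF 10, and then that the IKEv2 SA forms before looking at the interface (`show crypto ikev2 sa`, `show crypto ipsec sa`, `show interface Tunnel100`). If the route to the peer only exists inside the service VRF, the tunnel source lookup fails and the VTI never comes up, which matches the constraint stated in the reply.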
04-03-2024 11:10 AM
Hi Kanan,
Thanks for the prompt response.
I followed the second document you referred to, as this is more what I'm trying to implement (IOS-XE (WAN Edge B) - service-side tunnel).
I built the IPsec tunnel with the tunnel interface in VPN/VRF 10. All configuration loaded OK. However, the tunnel never comes up. I tried this on vManage 20.6 and 20.12 and got the same results. I'm somewhat perplexed with page 81 of https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/zscaler-cisco-sdwan-deployment-guide-2020feb.pdf; it asks to set up 12.1.1.2 and 12.1.2.2 as the next-hop addresses.
Prefix(vpn1_ipv4_prefix_to_zscaler) = 0.0.0.0/0
Address(vpn1_next_hop_zscaler_remote_end1) = 12.1.1.2
Address(vpn1_next_hop_zscaler_remote_end2) = 12.1.2.2
Where are these addresses configured on the Zscaler side?
On a somewhat related topic, I have not managed to locate the Change mode section as requested in 3.3.13; in 20.12, vManage doesn't show that option.
Configuration>Devices in 20.6
Configuration>Devices in 20.12
As you can see from the two screenshots, the "Change mode" option is not visible in 20.12. Is there a reason for this?